CVE-2020-36875

AccessAlly WordPress plugin versions prior to 3.3.2 contain an unauthenticated arbitrary PHP code execution vulnerability in the Login Widget. The plugin processes the login_error parameter as PHP code, allowing an attacker to supply and execute arbitrary PHP in the context of the WordPress web server process, resulting in remote code execution.

CVSS

No CVSS.

References

Link	Resource
https://accessally.com/software-release/accessally-3-3-2/
https://wpscan.com/vulnerability/c644de6d-098d-4889-b75d-53fd2b89ff4d/
https://www.vulncheck.com/advisories/accessally-unauthenticated-arbitrary-php-code-execution
https://wpscan.com/vulnerability/c644de6d-098d-4889-b75d-53fd2b89ff4d/

Configurations

No configuration.

History

09 Jan 2026, 19:16

Type	Values Removed	Values Added
References	~~() https://wpscan.com/vulnerability/c644de6d-098d-4889-b75d-53fd2b89ff4d/ -~~	() https://wpscan.com/vulnerability/c644de6d-098d-4889-b75d-53fd2b89ff4d/ -

09 Jan 2026, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-09 17:15

Updated : 2026-01-09 19:16

NVD link : CVE-2020-36875

Mitre link : CVE-2020-36875

CVE.ORG link : CVE-2020-36875

JSON object : View

Products Affected

No product.

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

{"id": "CVE-2020-36875", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-01-09T17:15:50.263", "references": [{"url": "https://accessally.com/software-release/accessally-3-3-2/", "source": "disclosure@vulncheck.com"}, {"url": "https://wpscan.com/vulnerability/c644de6d-098d-4889-b75d-53fd2b89ff4d/", "source": "disclosure@vulncheck.com"}, {"url": "https://www.vulncheck.com/advisories/accessally-unauthenticated-arbitrary-php-code-execution", "source": "disclosure@vulncheck.com"}, {"url": "https://wpscan.com/vulnerability/c644de6d-098d-4889-b75d-53fd2b89ff4d/", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Received", "weaknesses": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-94"}]}], "descriptions": [{"lang": "en", "value": "AccessAlly WordPress plugin versions prior to\u00a03.3.2 contain an unauthenticated arbitrary PHP code execution vulnerability in the Login Widget. The plugin processes the login_error parameter as PHP code, allowing an attacker to supply and execute arbitrary PHP in the context of the WordPress web server process, resulting in remote code execution."}], "lastModified": "2026-01-09T19:16:02.453", "sourceIdentifier": "disclosure@vulncheck.com"}